This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". It provides comprehensive techniques for detecting, exploiting, and understanding XSS and HTML injection attack vectors in web applications.
>_
Quick Install
npxskills add zebbern/claude-code-guide--skill "Cross-Site Scripting and HTML Injection Testing"
Instructions
Loading…
Tags & Topics
aiai-agentai-agent-toolsclaudeclaude-aiclaude-api
Cross-Site Scripting and HTML Injection Testing
Purpose
Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.
Inputs / Prerequisites
Required Access
Target web application URL with user input fields
Burp Suite or browser developer tools for request analysis
Access to create test accounts for stored XSS testing
Browser with JavaScript console enabled
Technical Requirements
Understanding of JavaScript execution in browser context
Knowledge of HTML DOM structure and manipulation
Familiarity with HTTP request/response headers
Understanding of cookie attributes and session management
Legal Prerequisites
Written authorization for security testing
Defined scope including target domains and features
Agreement on handling of any captured session data
Incident response procedures established
Outputs / Deliverables
XSS/HTMLi vulnerability report with severity classifications
Remediation recommendations with CSP configurations
Core Workflow
Phase 1: Vulnerability Detection
Identify Input Reflection Points
Locate areas where user input is reflected in responses:
# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)
Basic Detection Testing
Insert test strings to observe application behavior:
<!-- Basic reflection test -->
<test123>
<!-- Script tag test -->
<script>alert('XSS')</script>
<!-- Event handler test -->
<img src=x onerror=alert('XSS')>
<!-- SVG-based test -->
<svg onload=alert('XSS')>
<!-- Body event test -->
<body onload=alert('XSS')>
Monitor for:
Raw HTML reflection without encoding
Partial encoding (some characters escaped)
JavaScript execution in browser console
DOM modifications visible in inspector
Determine XSS Type
Stored XSS Indicators:
Input persists after page refresh
Other users see injected content
Content stored in database/filesystem
Reflected XSS Indicators:
Input appears only in current response
Requires victim to click crafted URL
No persistence across sessions
DOM-Based XSS Indicators:
Input processed by client-side JavaScript
Server response doesn't contain payload
Exploitation occurs entirely in browser
Phase 2: Stored XSS Exploitation
Identify Storage Locations
Target areas with persistent user content:
- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences
Techniques for delivering reflected XSS to victims:
1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains
Phase 4: DOM-Based XSS Exploitation
Identify Vulnerable Sinks
Locate JavaScript functions that process user input: